Description

The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character.

Remediation

References

https://github.com/jaw187/node-traceroute/commit/b99ee024a01a40d3d20a92ad3769cc78a3f6386f

https://github.com/jaw187/node-traceroute/tags

https://medium.com/%40shay_62828/shell-command-injection-through-traceroute-npm-package-a4cf7b6553e3

https://snyk.io/vuln/npm:traceroute:20160311

https://www.linkedin.com/posts/op-innovate_shell-command-injection-through-traceroute-activity-6678956453086191616-Rcpy

https://www.npmjs.com/advisories/1465

https://www.npmjs.com/package/traceroute

https://www.op-c.net/2020/06/17/shell-command-injection-through-traceroute-npm-package/

Related Vulnerabilities

CVE-2019-1354 Vulnerability in maven package org.webjars.npm:nodegit

CVE-2020-28196 Vulnerability in npm package node-krb5

CVE-2020-25711 Vulnerability in maven package org.infinispan:infinispan-server-runtime

CVE-2021-40331 Vulnerability in maven package org.apache.ranger:ranger-hive-plugin

CVE-2022-44729 Vulnerability in maven package org.apache.xmlgraphics:batik-bridge

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit Product